
If the data leak explosion of 2014 has proved anything, it is that these methods can no longer be trusted. Signatures have never been easy to definitively prove or disprove, while advances in scanning and printing technology have made forgery of supporting documentation cheap, fast and simple. Supposedly private information, such as social security numbers or card numbers, has been leaked in its billions over the last few years, in many cases with the associated usernames and passwords attached. Several major data breaches, such as the Adobe leak of late 2013, have affected hundreds of millions of online accounts in a single instance. It is therefore imperative that we find a better way of identifying ourselves and our citizens, clients or customers. Guidelines released in late 2014 by the European Banking Authority¹ recommend ‘strong customer authentication’ for all online commerce transactions by mid-2015, defining this authentication as two of the three standard pillars of two-factor authentication: ‘Something you know, something you have, something you are.’ If this becomes standard in e-commerce and banking it is almost certain that all other areas of online authentication will follow suit.

Biometric techniques, the ‘something you are’ component, use features of our bodies, such as fingerprints, eye patterns, voice tones and facial features, among others. Implementations of these measures continue to evolve and become more usable, with at least two major projects working on standardising and unifying various approaches, but these all require some sort of technology to read the data from the physical world and convert it into digital information. This will inevitably be more expensive than simple signatures or passwords. Furthermore, with so many approaches being developed there is still no sign of a single universal method emerging.
Add to this the remaining problem of theft and impersonation – while a leaked password can be changed, it’s considerably harder to change one’s fingerprints – and it seems unlikely that biometrics will become a universal solution, at least in the near future. The most widely used alternative form of second-factor authentication, one-off codes sent via SMS or generated by dedicated devices or smartphone apps, is more likely to be viable on a large scale in the short term, but these codes are also subject to interception or manipulation. Android smartphones in particular have become a major target for malware, much of which tries to sit invisibly in between phone users and their banks to steal credentials, spoof or steal one-time codes, and hijack banking sessions. These systems require some effort to implement but are becoming more and more available to web developers in the form of simple ‘plugins’: pre-built modules which can be added to standard website building systems. This in itself may present a further danger, as poorly implemented or misconfigured systems can lead to flawed and unreliable authentication. They also require access to a phone or code-generating device, but compared to biometric readers these are much simpler, cheaper and more widely used by the general population, with many banks already deploying some form of one-time code system. It seems likely that, within the next year or so, many governmental bodies will need to deploy this sort of approach to properly authenticate people accessing their services online, with everything from tax filing and voter registration to health and welfare services open to abuse if not properly secured.

Addressing the issue of cybercrime

The steady increase in both malware and cybercrime has highlighted the need for cross-border co-operation and resource and information sharing to assist in tracking down those behind digital crimes and bringing them to justice.
The availability of ‘bulletproof’ hosting services in some regions makes crooks feel immune to the justice systems of the nations they attack; as such, diplomatic efforts to eradicate these safe zones must continue. As well as prosecuting criminals, there is a great need to better regulate how attacks and compromises are recorded and measured, since the scale of the problem is still obscured by a lack of detailed and reliable information. While breach notification laws continue to evolve, the reporting of online crimes remains limited, impeded by a lack of clarity on who to report such incidents to and, in many cases, considerable unwillingness on the part of victims to own up to losing control of systems, data and, indeed, money.

Once the current swathe of problems linked to online security is mopped up, there will remain much to be done to limit future issues. Last year revealed several severe issues in the basic underpinnings of the internet itself, most notably the ‘heartbleed’ and ‘shellshock’ vulnerabilities, as well as the regular security flaws in just about every commonly used piece of software. To keep us from suffering further shocks in the future it is imperative that regulators, buyers and users put pressure on software developers, both commercial and open source, to implement better practices to reduce the frequency and severity of such problems, and to build security into everything from the very start. As the ‘internet of things’ brings online connectivity to household equipment, the penetration of computer networks into our everyday lives grows ever deeper and the need to keep them safe, reliable and secure becomes paramount.

Endnotes

1. See www.eba.europa.eu/-/eba-issues-guidelines-to-strengthen-requirements-for-the-security-of-internet-payments-across-the-eu.
Commonwealth Governance Handbook 2014/15

JOHN HAWES is chief of operations at Virus Bulletin, the leading online publication on malware and computer security, where he has been running the world-renowned VB100 certification scheme for anti-malware solutions since 2006. He also sits on the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) and the board of managers of the Clean Software Alliance, and is a regular contributor to the Naked Security blog.

Virus Bulletin conference

The 25th Virus Bulletin International Conference (VB2015) will take place from 30 September to 2 October 2015 at the Clarion Congress Hotel in Prague, Czech Republic. The VB conference is the premier anti-malware and IT security conference, at which the brains of IT security from around the world gather to learn, debate, pass on their knowledge and move the industry forward. The event provides three full days of learning opportunities and networking with industry experts, and covers all aspects of the global threat landscape.
